is this a secure approach in ActiveRecords in Rails?

Posted by Adnan on Stack Overflow See other posts from Stack Overflow or by Adnan
Published on 2010-04-09T07:50:43Z Indexed on 2010/04/09 7:53 UTC
Read the original article Hit count: 240

Filed under:

ruby-on-rails

|

activerecord

|

best-practices

Hello,

I am using the following for my customers to unsubscribe from my mailing list;

  def index
    @user = User.find_by_salt(params[:subscribe_code]) 
    if @user.nil? 
      flash[:notice] = "the link is not valid...."
      render :action => 'index'
    else    
      Notification.delete_all(:user_id => @user.id)
      flash[:notice] = "you have been unsubscribed....."
      redirect_to :controller => 'home'
    end 
  end

my link looks like; http://site.com/unsubscribe/32hj5h2j33j3h333

so the above compares the random string to a field in my user table and accordingly deletes data from the notification table.

My question; is this approach secure? is there a better/more efficient way for doing this?

All suggestions are welcome.

© Stack Overflow or respective owner

Related posts about ruby-on-rails

Ruby on Rails - How can I start? [closed]

as seen on Programmers - Search for 'Programmers'
I have misconception in understanding the relationship between Ruby language and Ruby on Rails Framework. Because of 'I am an absolute beginner' in web development I have no idea if I have to grasp the fundamentals of Ruby before I go with Ruby on Rails! I also want to ask who is behind both Ruby… >>> More
DES3 decryption in Ruby on Rails

as seen on Stack Overflow - Search for 'Stack Overflow'
My RoR server receives a string, that was encrypted in C++ application using des3 with base64 encoding The cipher object is created so: cipher = OpenSSL::Cipher::Cipher::new("des3") cipher.key = key_str cipher.iv = iv_str key_str and iv_str: are string representations of key and initialization… >>> More
Ruby on rails: Image downloads with Authentication/Authorization/Time outs

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Guys, I'm having few doubts on implementing file downloads. I'm creating an app where I use attachment_fu with Amazon s3 to upload files. Things are working pretty well so far on uploading side. Now its the time to start the file downloads. Here is what I need, a logged in user search and browse… >>> More
Ruby on Rails deployment, on "thin" server with lot of attachments

as seen on Stack Overflow - Search for 'Stack Overflow'
A lot of PDFs are stored inside MySQL as a BLOB field for each PDF file. The average file size is 500K each. The Rails app will stream the :binary data as file downloads, where there is a user click on the download link. Assume there is a maximum of 5 users downloading 5 PDFs concurrently, what… >>> More
Apply Behavior Driven Development to Ruby on Rails with Rspec

as seen on Internet.com - Search for 'Internet.com'
Applying the Behavior Driven Development (BDD) methodology to your Rails development takes you beyond traditional Test Driven Development. Learn how to do it with the Ruby-based BDD framework RSpec. >>> More

Related posts about activerecord

Rails & ActiveRecord: Appending methods to models that inherit from ActiveRecord::Base

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a standard ActiveRecord model with the following: class MyModel < ActiveRecord::Base custom_method :first_field, :second_field end At the moment, that custom_method is picked up by a module sent to ActiveRecord::Base. The functionality basically works, but of course, it attaches itself… >>> More
Rails ActiveRecord - Best way to perform an include?

as seen on Stack Overflow - Search for 'Stack Overflow'
I have three models: class Book < ActiveRecord::Base has_many :collections has_many :users, :through => :collections end class User < ActiveRecord::Base has_many :collections has_many :books, :through => :collections end class Collection < ActiveRecord::Base belongs_to… >>> More
Getting types of the attributes in an ActiveRecord object

as seen on Stack Overflow - Search for 'Stack Overflow'
I would like to know if it is possible to get the types (as known by AR - eg in the migration script and database) programmatically (I know the data exists in there somewhere). For example, I can deal with all the attribute names: ar.attribute_names.each { |name| puts name } .attributes just… >>> More
Changing ActiveRecord attribute value in before_save hook

as seen on Stack Overflow - Search for 'Stack Overflow'
I needed to fix the encoding of an ActiveRecord attribute and decided to do it in a before_save hook. And at this point I noticed an unexpected feature. When I wanted to change the value of the attribute, simple using the attribute_name=XY did not work as I expected. Instead of that I needed to use… >>> More
Conditions with whitespaces in activerecord find

as seen on Stack Overflow - Search for 'Stack Overflow'
So i am trying to do this Order.find :all, :conditions => "org = 'test org'" what ends up firing is SELECT * FROM `orders` WHERE (org = 'test org') the whitespace in the argument gets stripped. what am i missing.. im really stumped here. please help! >>> More